Privacy Policy

Effective Date: March 20, 2026 · Last Updated: March 20, 2026

ThreadFlip is a Chrome extension that repurposes selected text into social media content. This policy explains what data ThreadFlip accesses, how it is used, and where it is stored.

ThreadFlip only processes text you explicitly select on a webpage.
Your OpenAI API key is encrypted locally and never sent to ThreadFlip servers.
ThreadFlip does not collect analytics, telemetry, or personal data.
ThreadFlip does not read or scrape full page content.
All user data stays in your browser via Chrome's built-in storage APIs.

1. Data We Access

Selected Text

When you right-click and choose "Repurpose with ThreadFlip" (or use the keyboard shortcut), the extension reads only the text you have highlighted via the browser's window.getSelection() API. ThreadFlip does not access any other page content, DOM elements, cookies, passwords, form inputs, or browsing history.

Current Page URL and Title

The URL and page title of the tab where you made a selection are captured alongside the selected text. This is used solely to:

Auto-detect the source platform (Twitter, Reddit, YouTube, or Blog) for appropriate text cleanup
Store metadata alongside saved library entries so you can trace content back to its origin

User-Configured Settings

You provide the following voluntarily in the settings page:

Display name
Content role (e.g. B2B Founder, Newsletter Writer)
Voice adjectives and target audience description
OpenAI API key (if using BYO mode)
Pro license key (if applicable)

2. Data Storage

Where Data Is Stored

All data is stored locally in your browser using Chrome's built-in storage APIs:

Data	Storage Location	Scope
Settings (name, role, audience, etc.)	`chrome.storage.sync`	Synced across signed-in Chrome devices
OpenAI API key (encrypted)	`chrome.storage.sync`	Synced across signed-in Chrome devices
Content library (saved generations)	`chrome.storage.local`	Local to this device only
Generation usage counter	`chrome.storage.sync`	Synced across signed-in Chrome devices

API Key Encryption

If you use the Bring Your Own Key (BYO) option, your OpenAI API key is encrypted before storage using:

Algorithm: AES-256-GCM via the Web Crypto API
Key derivation: PBKDF2 with SHA-256, 100,000 iterations
Storage format: Encrypted ciphertext + initialization vector (IV)

The plaintext key is never stored. It is decrypted in-memory only at the moment an API call is made, then discarded.

Content Library

Generated outputs can optionally be saved to a local content library. Each entry stores:

The generated text
Source URL and page title
First 100 characters of the source text
Timestamp, format, and role used
User-added tags

The library retains a maximum of 200 entries. Older entries are automatically removed when the limit is reached. You can delete individual entries or clear the entire library from the settings page.

3. Data We Send to Third Parties

OpenAI API

When you click "Generate" or "Rewrite", the selected text (after cleanup) is sent to OpenAI's API (api.openai.com) along with a system prompt that includes your configured role, audience, and voice adjectives.

If using BYO key: The request is made directly from your browser to OpenAI using your own API key. ThreadFlip has no visibility into these requests.
If using ThreadFlip credits: The request is routed through a ThreadFlip API proxy. The proxy forwards the request to OpenAI and does not log or retain the content of any prompts or completions.

ThreadFlip does not send your data to any other third-party service.

License Verification

If you enter a Pro license key, ThreadFlip sends only the license key string to a Cloudflare Worker endpoint (threadflip-license.workers.dev) to verify its validity. No personal data, selected text, or generated content is included in this request.

4. Data We Do NOT Collect

ThreadFlip does not collect, transmit, or store:

Browsing history or visited URLs (beyond the URL of the page where you make a selection)
Full page content or DOM
Cookies, authentication tokens, or session data
Form inputs, passwords, or autofill data
Device identifiers, IP addresses, or hardware information
Analytics, telemetry, crash reports, or usage metrics
Personally identifiable information beyond what you voluntarily enter in settings

5. Permissions Explained

Permission	Why It's Needed
`contextMenus`	Register the "Repurpose with ThreadFlip" right-click menu item
`sidePanel`	Open and manage the persistent side panel UI
`storage`	Store settings, encrypted API key, and content library locally
`activeTab`	Read the current tab's URL to detect the source platform
`scripting`	Inject a lightweight script to capture your text selection when the context menu is clicked
`<all_urls>`	Allow the content script to run on any page so selection capture works universally

The <all_urls> permission is required because users select text on arbitrary websites. The content script (selector.js) does only one thing: listen for text selections and forward them to the side panel. It does not read, modify, or exfiltrate any other page data.

6. Data Retention and Deletion

Settings: Persist until you change them or uninstall the extension.
API key: Persists (encrypted) until you clear it in settings or uninstall.
Content library: Persists until you delete individual items, clear the library, or uninstall.
Uninstall: Removing the extension from Chrome automatically deletes all chrome.storage.local data. chrome.storage.sync data is removed when you sign out of Chrome or manually clear extension data.

You can export your content library as CSV or Markdown at any time from the settings page before deleting.

7. Children's Privacy

ThreadFlip is not directed at children under 13. We do not knowingly collect data from children.

8. Changes to This Policy

If this privacy policy changes, the updated version will be published with a new "Last Updated" date. Continued use of the extension after changes constitutes acceptance.

Questions or data deletion requests?

arunakumariphone6@gmail.com